| @@ -1,882 +1,889 | |||||
| 1 | #!/bin/sh |
|
1 | #!/bin/sh | |
| 2 |
|
2 | |||
| 3 | ######################################################################## |
|
3 | ######################################################################## | |
| 4 | # rpi2-gen-image.sh ver2a 12/2015 |
|
4 | # rpi2-gen-image.sh ver2a 12/2015 | |
| 5 | # |
|
5 | # | |
| 6 | # Advanced debian "jessie" bootstrap script for RPi2 |
|
6 | # Advanced debian "jessie" bootstrap script for RPi2 | |
| 7 | # |
|
7 | # | |
| 8 | # This program is free software; you can redistribute it and/or |
|
8 | # This program is free software; you can redistribute it and/or | |
| 9 | # modify it under the terms of the GNU General Public License |
|
9 | # modify it under the terms of the GNU General Public License | |
| 10 | # as published by the Free Software Foundation; either version 2 |
|
10 | # as published by the Free Software Foundation; either version 2 | |
| 11 | # of the License, or (at your option) any later version. |
|
11 | # of the License, or (at your option) any later version. | |
| 12 | # |
|
12 | # | |
| 13 | # some parts based on rpi2-build-image: |
|
13 | # some parts based on rpi2-build-image: | |
| 14 | # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org> |
|
14 | # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org> | |
| 15 | # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org> |
|
15 | # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org> | |
| 16 | ######################################################################## |
|
16 | ######################################################################## | |
| 17 |
|
17 | |||
| 18 | # Clean up all temporary mount points |
|
18 | # Clean up all temporary mount points | |
| 19 | cleanup (){ |
|
19 | cleanup (){ | |
| 20 | set +x |
|
20 | set +x | |
| 21 | set +e |
|
21 | set +e | |
| 22 | echo "removing temporary mount points ..." |
|
22 | echo "removing temporary mount points ..." | |
| 23 | umount -l $R/proc 2> /dev/null |
|
23 | umount -l $R/proc 2> /dev/null | |
| 24 | umount -l $R/sys 2> /dev/null |
|
24 | umount -l $R/sys 2> /dev/null | |
| 25 | umount -l $R/dev/pts 2> /dev/null |
|
25 | umount -l $R/dev/pts 2> /dev/null | |
| 26 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null |
|
26 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null | |
| 27 | umount "$BUILDDIR/mount" 2> /dev/null |
|
27 | umount "$BUILDDIR/mount" 2> /dev/null | |
| 28 | losetup -d "$EXT4_LOOP" 2> /dev/null |
|
28 | losetup -d "$EXT4_LOOP" 2> /dev/null | |
| 29 | losetup -d "$VFAT_LOOP" 2> /dev/null |
|
29 | losetup -d "$VFAT_LOOP" 2> /dev/null | |
| 30 | trap - 0 1 2 3 6 |
|
30 | trap - 0 1 2 3 6 | |
| 31 | } |
|
31 | } | |
| 32 |
|
32 | |||
| 33 | set -e |
|
33 | set -e | |
| 34 | set -x |
|
34 | set -x | |
| 35 |
|
35 | |||
| 36 | # Debian release |
|
36 | # Debian release | |
| 37 | RELEASE=${RELEASE:=jessie} |
|
37 | RELEASE=${RELEASE:=jessie} | |
| 38 |
|
38 | |||
| 39 | # Build settings |
|
39 | # Build settings | |
| 40 | BASEDIR=./images/${RELEASE} |
|
40 | BASEDIR=./images/${RELEASE} | |
| 41 | BUILDDIR=${BASEDIR}/build |
|
41 | BUILDDIR=${BASEDIR}/build | |
| 42 |
|
42 | |||
| 43 | # General settings |
|
43 | # General settings | |
| 44 | HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}} |
|
44 | HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}} | |
| 45 | PASSWORD=${PASSWORD:=raspberry} |
|
45 | PASSWORD=${PASSWORD:=raspberry} | |
| 46 | DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"} |
|
46 | DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"} | |
| 47 | TIMEZONE=${TIMEZONE:="Europe/Berlin"} |
|
47 | TIMEZONE=${TIMEZONE:="Europe/Berlin"} | |
| 48 | XKBMODEL=${XKBMODEL:=""} |
|
48 | XKBMODEL=${XKBMODEL:=""} | |
| 49 | XKBLAYOUT=${XKBLAYOUT:=""} |
|
49 | XKBLAYOUT=${XKBLAYOUT:=""} | |
| 50 | XKBVARIANT=${XKBVARIANT:=""} |
|
50 | XKBVARIANT=${XKBVARIANT:=""} | |
| 51 | XKBOPTIONS=${XKBOPTIONS:=""} |
|
51 | XKBOPTIONS=${XKBOPTIONS:=""} | |
| 52 |
|
52 | |||
| 53 | # APT settings |
|
53 | # APT settings | |
| 54 | APT_PROXY=${APT_PROXY:=""} |
|
54 | APT_PROXY=${APT_PROXY:=""} | |
| 55 | APT_SERVER=${APT_SERVER:="ftp.debian.org"} |
|
55 | APT_SERVER=${APT_SERVER:="ftp.debian.org"} | |
| 56 |
|
56 | |||
| 57 | # Feature settings |
|
57 | # Feature settings | |
| 58 | ENABLE_CONSOLE=${ENABLE_CONSOLE:=true} |
|
58 | ENABLE_CONSOLE=${ENABLE_CONSOLE:=true} | |
| 59 | ENABLE_IPV6=${ENABLE_IPV6:=true} |
|
59 | ENABLE_IPV6=${ENABLE_IPV6:=true} | |
| 60 | ENABLE_SSHD=${ENABLE_SSHD:=true} |
|
60 | ENABLE_SSHD=${ENABLE_SSHD:=true} | |
| 61 | ENABLE_SOUND=${ENABLE_SOUND:=true} |
|
61 | ENABLE_SOUND=${ENABLE_SOUND:=true} | |
| 62 | ENABLE_DBUS=${ENABLE_DBUS:=true} |
|
62 | ENABLE_DBUS=${ENABLE_DBUS:=true} | |
| 63 | ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true} |
|
63 | ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true} | |
| 64 | ENABLE_MINGPU=${ENABLE_MINGPU:=false} |
|
64 | ENABLE_MINGPU=${ENABLE_MINGPU:=false} | |
| 65 | ENABLE_XORG=${ENABLE_XORG:=false} |
|
65 | ENABLE_XORG=${ENABLE_XORG:=false} | |
| 66 | ENABLE_WM=${ENABLE_WM:=""} |
|
66 | ENABLE_WM=${ENABLE_WM:=""} | |
| 67 |
|
67 | |||
| 68 | # Advanced settings |
|
68 | # Advanced settings | |
| 69 | ENABLE_MINBASE=${ENABLE_MINBASE:=false} |
|
69 | ENABLE_MINBASE=${ENABLE_MINBASE:=false} | |
| 70 | ENABLE_UBOOT=${ENABLE_UBOOT:=false} |
|
70 | ENABLE_UBOOT=${ENABLE_UBOOT:=false} | |
| 71 | ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} |
|
71 | ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} | |
| 72 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} |
|
72 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} | |
| 73 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} |
|
73 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} | |
| 74 |
|
74 | |||
| 75 | # Image chroot path |
|
75 | # Image chroot path | |
| 76 | R=${BUILDDIR}/chroot |
|
76 | R=${BUILDDIR}/chroot | |
| 77 |
|
77 | |||
| 78 | # Packages required for bootstrapping |
|
78 | # Packages required for bootstrapping | |
| 79 | REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core" |
|
79 | REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core" | |
| 80 |
|
80 | |||
| 81 | # Missing packages that need to be installed |
|
81 | # Missing packages that need to be installed | |
| 82 | MISSING_PACKAGES="" |
|
82 | MISSING_PACKAGES="" | |
| 83 |
|
83 | |||
| 84 | # Packages required in the chroot build environment |
|
84 | # Packages required in the chroot build environment | |
| 85 | APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo" |
|
85 | APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo" | |
| 86 |
|
86 | |||
| 87 | set +x |
|
87 | set +x | |
| 88 |
|
88 | |||
| 89 | # Are we running as root? |
|
89 | # Are we running as root? | |
| 90 | if [ "$(id -u)" -ne "0" ] ; then |
|
90 | if [ "$(id -u)" -ne "0" ] ; then | |
| 91 | echo "this script must be executed with root privileges" |
|
91 | echo "this script must be executed with root privileges" | |
| 92 | exit 1 |
|
92 | exit 1 | |
| 93 | fi |
|
93 | fi | |
| 94 |
|
94 | |||
| 95 | # Check if all required packages are installed |
|
95 | # Check if all required packages are installed | |
| 96 | for package in $REQUIRED_PACKAGES ; do |
|
96 | for package in $REQUIRED_PACKAGES ; do | |
| 97 | if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then |
|
97 | if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then | |
| 98 | MISSING_PACKAGES="$MISSING_PACKAGES $package" |
|
98 | MISSING_PACKAGES="$MISSING_PACKAGES $package" | |
| 99 | fi |
|
99 | fi | |
| 100 | done |
|
100 | done | |
| 101 |
|
101 | |||
| 102 | # Ask if missing packages should get installed right now |
|
102 | # Ask if missing packages should get installed right now | |
| 103 | if [ -n "$MISSING_PACKAGES" ] ; then |
|
103 | if [ -n "$MISSING_PACKAGES" ] ; then | |
| 104 | echo "the following packages needed by this script are not installed:" |
|
104 | echo "the following packages needed by this script are not installed:" | |
| 105 | echo "$MISSING_PACKAGES" |
|
105 | echo "$MISSING_PACKAGES" | |
| 106 |
|
106 | |||
| 107 | echo -n "\ndo you want to install the missing packages right now? [y/n] " |
|
107 | echo -n "\ndo you want to install the missing packages right now? [y/n] " | |
| 108 | read confirm |
|
108 | read confirm | |
| 109 | if [ "$confirm" != "y" ] ; then |
|
109 | if [ "$confirm" != "y" ] ; then | |
| 110 | exit 1 |
|
110 | exit 1 | |
| 111 | fi |
|
111 | fi | |
| 112 | fi |
|
112 | fi | |
| 113 |
|
113 | |||
| 114 | # Make sure all required packages are installed |
|
114 | # Make sure all required packages are installed | |
| 115 | apt-get -qq -y install ${REQUIRED_PACKAGES} |
|
115 | apt-get -qq -y install ${REQUIRED_PACKAGES} | |
| 116 |
|
116 | |||
| 117 | # Don't clobber an old build |
|
117 | # Don't clobber an old build | |
| 118 | if [ -e "$BUILDDIR" ]; then |
|
118 | if [ -e "$BUILDDIR" ]; then | |
| 119 | echo "directory $BUILDDIR already exists, not proceeding" |
|
119 | echo "directory $BUILDDIR already exists, not proceeding" | |
| 120 | exit 1 |
|
120 | exit 1 | |
| 121 | fi |
|
121 | fi | |
| 122 |
|
122 | |||
| 123 | set -x |
|
123 | set -x | |
| 124 |
|
124 | |||
| 125 | # Call "cleanup" function on various signals and errors |
|
125 | # Call "cleanup" function on various signals and errors | |
| 126 | trap cleanup 0 1 2 3 6 |
|
126 | trap cleanup 0 1 2 3 6 | |
| 127 |
|
127 | |||
| 128 | # Set up chroot directory |
|
128 | # Set up chroot directory | |
| 129 | mkdir -p $R |
|
129 | mkdir -p $R | |
| 130 |
|
130 | |||
| 131 | # Add required packages for the minbase installation |
|
131 | # Add required packages for the minbase installation | |
| 132 | if [ "$ENABLE_MINBASE" = true ] ; then |
|
132 | if [ "$ENABLE_MINBASE" = true ] ; then | |
| 133 | APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools" |
|
133 | APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools" | |
| 134 | else |
|
134 | else | |
| 135 | APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup" |
|
135 | APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup" | |
| 136 | fi |
|
136 | fi | |
| 137 |
|
137 | |||
| 138 | # Add dbus package, recommended if using systemd |
|
138 | # Add dbus package, recommended if using systemd | |
| 139 | if [ "$ENABLE_DBUS" = true ] ; then |
|
139 | if [ "$ENABLE_DBUS" = true ] ; then | |
| 140 | APT_INCLUDES="${APT_INCLUDES},dbus" |
|
140 | APT_INCLUDES="${APT_INCLUDES},dbus" | |
| 141 | fi |
|
141 | fi | |
| 142 |
|
142 | |||
| 143 | # Add iptables IPv4/IPv6 package |
|
143 | # Add iptables IPv4/IPv6 package | |
| 144 | if [ "$ENABLE_IPTABLES" = true ] ; then |
|
144 | if [ "$ENABLE_IPTABLES" = true ] ; then | |
| 145 | APT_INCLUDES="${APT_INCLUDES},iptables" |
|
145 | APT_INCLUDES="${APT_INCLUDES},iptables" | |
| 146 | fi |
|
146 | fi | |
| 147 |
|
147 | |||
| 148 | # Add openssh server package |
|
148 | # Add openssh server package | |
| 149 | if [ "$ENABLE_SSHD" = true ] ; then |
|
149 | if [ "$ENABLE_SSHD" = true ] ; then | |
| 150 | APT_INCLUDES="${APT_INCLUDES},openssh-server" |
|
150 | APT_INCLUDES="${APT_INCLUDES},openssh-server" | |
| 151 | fi |
|
151 | fi | |
| 152 |
|
152 | |||
| 153 | # Add alsa-utils package |
|
153 | # Add alsa-utils package | |
| 154 | if [ "$ENABLE_SOUND" = true ] ; then |
|
154 | if [ "$ENABLE_SOUND" = true ] ; then | |
| 155 | APT_INCLUDES="${APT_INCLUDES},alsa-utils" |
|
155 | APT_INCLUDES="${APT_INCLUDES},alsa-utils" | |
| 156 | fi |
|
156 | fi | |
| 157 |
|
157 | |||
| 158 | # Add rng-tools package |
|
158 | # Add rng-tools package | |
| 159 | if [ "$ENABLE_HWRANDOM" = true ] ; then |
|
159 | if [ "$ENABLE_HWRANDOM" = true ] ; then | |
| 160 | APT_INCLUDES="${APT_INCLUDES},rng-tools" |
|
160 | APT_INCLUDES="${APT_INCLUDES},rng-tools" | |
| 161 | fi |
|
161 | fi | |
| 162 |
|
162 | |||
| 163 | # Add fbturbo video driver |
|
163 | # Add fbturbo video driver | |
| 164 | if [ "$ENABLE_FBTURBO" = true ] ; then |
|
164 | if [ "$ENABLE_FBTURBO" = true ] ; then | |
| 165 | # Enable xorg package dependencies |
|
165 | # Enable xorg package dependencies | |
| 166 | ENABLE_XORG=true |
|
166 | ENABLE_XORG=true | |
| 167 | fi |
|
167 | fi | |
| 168 |
|
168 | |||
| 169 | # Add user defined window manager package |
|
169 | # Add user defined window manager package | |
| 170 | if [ -n "$ENABLE_WM" ] ; then |
|
170 | if [ -n "$ENABLE_WM" ] ; then | |
| 171 | APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}" |
|
171 | APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}" | |
| 172 |
|
172 | |||
| 173 | # Enable xorg package dependencies |
|
173 | # Enable xorg package dependencies | |
| 174 | ENABLE_XORG=true |
|
174 | ENABLE_XORG=true | |
| 175 | fi |
|
175 | fi | |
| 176 |
|
176 | |||
| 177 | # Add xorg package |
|
177 | # Add xorg package | |
| 178 | if [ "$ENABLE_XORG" = true ] ; then |
|
178 | if [ "$ENABLE_XORG" = true ] ; then | |
| 179 | APT_INCLUDES="${APT_INCLUDES},xorg" |
|
179 | APT_INCLUDES="${APT_INCLUDES},xorg" | |
| 180 | fi |
|
180 | fi | |
| 181 |
|
181 | |||
| 182 | # Base debootstrap (unpack only) |
|
182 | # Base debootstrap (unpack only) | |
| 183 | if [ "$ENABLE_MINBASE" = true ] ; then |
|
183 | if [ "$ENABLE_MINBASE" = true ] ; then | |
| 184 | http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian |
|
184 | http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian | |
| 185 | else |
|
185 | else | |
| 186 | http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian |
|
186 | http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian | |
| 187 | fi |
|
187 | fi | |
| 188 |
|
188 | |||
| 189 | # Copy qemu emulator binary to chroot |
|
189 | # Copy qemu emulator binary to chroot | |
| 190 | cp /usr/bin/qemu-arm-static $R/usr/bin |
|
190 | cp /usr/bin/qemu-arm-static $R/usr/bin | |
| 191 |
|
191 | |||
| 192 | # Copy debian-archive-keyring.pgp |
|
192 | # Copy debian-archive-keyring.pgp | |
| 193 | chroot $R mkdir -p /usr/share/keyrings |
|
193 | chroot $R mkdir -p /usr/share/keyrings | |
| 194 | cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg |
|
194 | cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg | |
| 195 |
|
195 | |||
| 196 | # Complete the bootstrapping process |
|
196 | # Complete the bootstrapping process | |
| 197 | chroot $R /debootstrap/debootstrap --second-stage |
|
197 | chroot $R /debootstrap/debootstrap --second-stage | |
| 198 |
|
198 | |||
| 199 | # Mount required filesystems |
|
199 | # Mount required filesystems | |
| 200 | mount -t proc none $R/proc |
|
200 | mount -t proc none $R/proc | |
| 201 | mount -t sysfs none $R/sys |
|
201 | mount -t sysfs none $R/sys | |
| 202 | mount --bind /dev/pts $R/dev/pts |
|
202 | mount --bind /dev/pts $R/dev/pts | |
| 203 |
|
203 | |||
| 204 | # Use proxy inside chroot |
|
204 | # Use proxy inside chroot | |
| 205 | if [ -z "$APT_PROXY" ] ; then |
|
205 | if [ -z "$APT_PROXY" ] ; then | |
| 206 | echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy |
|
206 | echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy | |
| 207 | fi |
|
207 | fi | |
| 208 |
|
208 | |||
| 209 | # Pin package flash-kernel to repositories.collabora.co.uk |
|
209 | # Pin package flash-kernel to repositories.collabora.co.uk | |
| 210 | cat <<EOM >$R/etc/apt/preferences.d/flash-kernel |
|
210 | cat <<EOM >$R/etc/apt/preferences.d/flash-kernel | |
| 211 | Package: flash-kernel |
|
211 | Package: flash-kernel | |
| 212 | Pin: origin repositories.collabora.co.uk |
|
212 | Pin: origin repositories.collabora.co.uk | |
| 213 | Pin-Priority: 1000 |
|
213 | Pin-Priority: 1000 | |
| 214 | EOM |
|
214 | EOM | |
| 215 |
|
215 | |||
| 216 | # Set up timezone |
|
216 | # Set up timezone | |
| 217 | echo ${TIMEZONE} >$R/etc/timezone |
|
217 | echo ${TIMEZONE} >$R/etc/timezone | |
| 218 | LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata |
|
218 | LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata | |
| 219 |
|
219 | |||
| 220 | # Upgrade collabora package index and install collabora keyring |
|
220 | # Upgrade collabora package index and install collabora keyring | |
| 221 | echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list |
|
221 | echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list | |
| 222 | LANG=C chroot $R apt-get -qq -y update |
|
222 | LANG=C chroot $R apt-get -qq -y update | |
| 223 | LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring |
|
223 | LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring | |
| 224 |
|
224 | |||
| 225 | # Set up initial sources.list |
|
225 | # Set up initial sources.list | |
| 226 | cat <<EOM >$R/etc/apt/sources.list |
|
226 | cat <<EOM >$R/etc/apt/sources.list | |
| 227 | deb http://${APT_SERVER}/debian ${RELEASE} main contrib |
|
227 | deb http://${APT_SERVER}/debian ${RELEASE} main contrib | |
| 228 | #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib |
|
228 | #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib | |
| 229 |
|
229 | |||
| 230 | deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib |
|
230 | deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib | |
| 231 | #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib |
|
231 | #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib | |
| 232 |
|
232 | |||
| 233 | deb http://security.debian.org/ ${RELEASE}/updates main contrib |
|
233 | deb http://security.debian.org/ ${RELEASE}/updates main contrib | |
| 234 | #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib |
|
234 | #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib | |
| 235 |
|
235 | |||
| 236 | deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2 |
|
236 | deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2 | |
| 237 | EOM |
|
237 | EOM | |
| 238 |
|
238 | |||
| 239 | # Upgrade package index and update all installed packages and changed dependencies |
|
239 | # Upgrade package index and update all installed packages and changed dependencies | |
| 240 | LANG=C chroot $R apt-get -qq -y update |
|
240 | LANG=C chroot $R apt-get -qq -y update | |
| 241 | LANG=C chroot $R apt-get -qq -y -u dist-upgrade |
|
241 | LANG=C chroot $R apt-get -qq -y -u dist-upgrade | |
| 242 |
|
242 | |||
| 243 | # Set up default locale and keyboard configuration |
|
243 | # Set up default locale and keyboard configuration | |
| 244 | if [ "$ENABLE_MINBASE" = false ] ; then |
|
244 | if [ "$ENABLE_MINBASE" = false ] ; then | |
| 245 | # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug |
|
245 | # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug | |
| 246 | # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957 |
|
246 | # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957 | |
| 247 | # ... so we have to set locales manually |
|
247 | # ... so we have to set locales manually | |
| 248 | if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then |
|
248 | if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then | |
| 249 | LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections |
|
249 | LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections | |
| 250 | else |
|
250 | else | |
| 251 | # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale |
|
251 | # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale | |
| 252 | LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections |
|
252 | LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections | |
| 253 | LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen |
|
253 | LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen | |
| 254 | fi |
|
254 | fi | |
| 255 | LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen |
|
255 | LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen | |
| 256 | LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections |
|
256 | LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections | |
| 257 | LANG=C chroot $R locale-gen |
|
257 | LANG=C chroot $R locale-gen | |
| 258 | LANG=C chroot $R update-locale LANG=${DEFLOCAL} |
|
258 | LANG=C chroot $R update-locale LANG=${DEFLOCAL} | |
| 259 |
|
259 | |||
| 260 | # Keyboard configuration, if requested |
|
260 | # Keyboard configuration, if requested | |
| 261 | if [ "$XKBMODEL" != "" ] ; then |
|
261 | if [ "$XKBMODEL" != "" ] ; then | |
| 262 | LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard |
|
262 | LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard | |
| 263 | fi |
|
263 | fi | |
| 264 | if [ "$XKBLAYOUT" != "" ] ; then |
|
264 | if [ "$XKBLAYOUT" != "" ] ; then | |
| 265 | LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard |
|
265 | LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard | |
| 266 | fi |
|
266 | fi | |
| 267 | if [ "$XKBVARIANT" != "" ] ; then |
|
267 | if [ "$XKBVARIANT" != "" ] ; then | |
| 268 | LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard |
|
268 | LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard | |
| 269 | fi |
|
269 | fi | |
| 270 | if [ "$XKBOPTIONS" != "" ] ; then |
|
270 | if [ "$XKBOPTIONS" != "" ] ; then | |
| 271 | LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard |
|
271 | LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard | |
| 272 | fi |
|
272 | fi | |
| 273 | LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration |
|
273 | LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration | |
| 274 | # Set up font console |
|
274 | # Set up font console | |
| 275 | case "${DEFLOCAL}" in |
|
275 | case "${DEFLOCAL}" in | |
| 276 | *UTF-8) |
|
276 | *UTF-8) | |
| 277 | LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup |
|
277 | LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup | |
| 278 | ;; |
|
278 | ;; | |
| 279 | *) |
|
279 | *) | |
| 280 | LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup |
|
280 | LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup | |
| 281 | ;; |
|
281 | ;; | |
| 282 | esac |
|
282 | esac | |
| 283 | LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup |
|
283 | LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup | |
| 284 | fi |
|
284 | fi | |
| 285 |
|
285 | |||
| 286 | # Kernel installation |
|
286 | # Kernel installation | |
| 287 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot |
|
287 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot | |
| 288 | LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2 |
|
288 | LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2 | |
| 289 | LANG=C chroot $R apt-get -qq -y install flash-kernel |
|
289 | LANG=C chroot $R apt-get -qq -y install flash-kernel | |
| 290 |
|
290 | |||
| 291 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" |
|
291 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" | |
| 292 | [ -z "$VMLINUZ" ] && exit 1 |
|
292 | [ -z "$VMLINUZ" ] && exit 1 | |
| 293 | mkdir -p $R/boot/firmware |
|
293 | mkdir -p $R/boot/firmware | |
| 294 |
|
294 | |||
| 295 | # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10") |
|
295 | # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10") | |
| 296 | wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin |
|
296 | wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin | |
| 297 | wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat |
|
297 | wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat | |
| 298 | wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat |
|
298 | wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat | |
| 299 | wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat |
|
299 | wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat | |
| 300 | wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf |
|
300 | wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf | |
| 301 | wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf |
|
301 | wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf | |
| 302 | wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf |
|
302 | wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf | |
| 303 | cp $VMLINUZ $R/boot/firmware/kernel7.img |
|
303 | cp $VMLINUZ $R/boot/firmware/kernel7.img | |
| 304 |
|
304 | |||
| 305 | # Set up IPv4 hosts |
|
305 | # Set up IPv4 hosts | |
| 306 | echo ${HOSTNAME} >$R/etc/hostname |
|
306 | echo ${HOSTNAME} >$R/etc/hostname | |
| 307 | cat <<EOM >$R/etc/hosts |
|
307 | cat <<EOM >$R/etc/hosts | |
| 308 | 127.0.0.1 localhost |
|
308 | 127.0.0.1 localhost | |
| 309 | 127.0.1.1 ${HOSTNAME} |
|
309 | 127.0.1.1 ${HOSTNAME} | |
| 310 | EOM |
|
310 | EOM | |
| 311 |
|
311 | |||
| 312 | # Set up IPv6 hosts |
|
312 | # Set up IPv6 hosts | |
| 313 | if [ "$ENABLE_IPV6" = true ] ; then |
|
313 | if [ "$ENABLE_IPV6" = true ] ; then | |
| 314 | cat <<EOM >>$R/etc/hosts |
|
314 | cat <<EOM >>$R/etc/hosts | |
| 315 |
|
315 | |||
| 316 | ::1 localhost ip6-localhost ip6-loopback |
|
316 | ::1 localhost ip6-localhost ip6-loopback | |
| 317 | ff02::1 ip6-allnodes |
|
317 | ff02::1 ip6-allnodes | |
| 318 | ff02::2 ip6-allrouters |
|
318 | ff02::2 ip6-allrouters | |
| 319 | EOM |
|
319 | EOM | |
| 320 | fi |
|
320 | fi | |
| 321 |
|
321 | |||
| 322 | # Place hint about network configuration |
|
322 | # Place hint about network configuration | |
| 323 | cat <<EOM >$R/etc/network/interfaces |
|
323 | cat <<EOM >$R/etc/network/interfaces | |
| 324 | # Debian switched to systemd-networkd configuration files. |
|
324 | # Debian switched to systemd-networkd configuration files. | |
| 325 | # please configure your networks in '/etc/systemd/network/' |
|
325 | # please configure your networks in '/etc/systemd/network/' | |
| 326 | EOM |
|
326 | EOM | |
| 327 |
|
327 | |||
| 328 | # Enable systemd-networkd DHCP configuration for interface eth0 |
|
328 | # Enable systemd-networkd DHCP configuration for interface eth0 | |
| 329 | cat <<EOM >$R/etc/systemd/network/eth.network |
|
329 | cat <<EOM >$R/etc/systemd/network/eth.network | |
| 330 | [Match] |
|
330 | [Match] | |
| 331 | Name=eth0 |
|
331 | Name=eth0 | |
| 332 |
|
332 | |||
| 333 | [Network] |
|
333 | [Network] | |
| 334 | DHCP=yes |
|
334 | DHCP=yes | |
| 335 | EOM |
|
335 | EOM | |
| 336 |
|
336 | |||
| 337 | # Set DHCP configuration to IPv4 only |
|
337 | # Set DHCP configuration to IPv4 only | |
| 338 | if [ "$ENABLE_IPV6" = false ] ; then |
|
338 | if [ "$ENABLE_IPV6" = false ] ; then | |
| 339 | sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network |
|
339 | sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network | |
| 340 | fi |
|
340 | fi | |
| 341 |
|
341 | |||
| 342 | # Enable systemd-networkd service |
|
342 | # Enable systemd-networkd service | |
| 343 | LANG=C chroot $R systemctl enable systemd-networkd |
|
343 | LANG=C chroot $R systemctl enable systemd-networkd | |
| 344 |
|
344 | |||
| 345 | # Generate crypt(3) password string |
|
345 | # Generate crypt(3) password string | |
| 346 | ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}` |
|
346 | ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}` | |
| 347 |
|
347 | |||
| 348 | # Set up default user |
|
348 | # Set up default user | |
| 349 | LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi |
|
349 | LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi | |
| 350 | LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi |
|
350 | LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi | |
| 351 |
|
351 | |||
| 352 | # Set up root password |
|
352 | # Set up root password | |
| 353 | LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root |
|
353 | LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root | |
| 354 |
|
354 | |||
| 355 | # Set up firmware boot cmdline |
|
355 | # Set up firmware boot cmdline | |
| 356 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1" |
|
356 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1" | |
| 357 |
|
357 | |||
| 358 | # Set up serial console support (if requested) |
|
358 | # Set up serial console support (if requested) | |
| 359 | if [ "$ENABLE_CONSOLE" = true ] ; then |
|
359 | if [ "$ENABLE_CONSOLE" = true ] ; then | |
| 360 | CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200" |
|
360 | CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200" | |
| 361 | fi |
|
361 | fi | |
| 362 |
|
362 | |||
| 363 | # Set up IPv6 networking support |
|
363 | # Set up IPv6 networking support | |
| 364 | if [ "$ENABLE_IPV6" = false ] ; then |
|
364 | if [ "$ENABLE_IPV6" = false ] ; then | |
| 365 | CMDLINE="${CMDLINE} ipv6.disable=1" |
|
365 | CMDLINE="${CMDLINE} ipv6.disable=1" | |
| 366 | fi |
|
366 | fi | |
| 367 |
|
367 | |||
| 368 | echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt |
|
368 | echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt | |
| 369 |
|
369 | |||
| 370 | # Set up firmware config |
|
370 | # Set up firmware config | |
| 371 | cat <<EOM >$R/boot/firmware/config.txt |
|
371 | cat <<EOM >$R/boot/firmware/config.txt | |
| 372 | # For more options and information see |
|
372 | # For more options and information see | |
| 373 | # http://www.raspberrypi.org/documentation/configuration/config-txt.md |
|
373 | # http://www.raspberrypi.org/documentation/configuration/config-txt.md | |
| 374 | # Some settings may impact device functionality. See link above for details |
|
374 | # Some settings may impact device functionality. See link above for details | |
| 375 |
|
375 | |||
| 376 | # uncomment if you get no picture on HDMI for a default "safe" mode |
|
376 | # uncomment if you get no picture on HDMI for a default "safe" mode | |
| 377 | #hdmi_safe=1 |
|
377 | #hdmi_safe=1 | |
| 378 |
|
378 | |||
| 379 | # uncomment this if your display has a black border of unused pixels visible |
|
379 | # uncomment this if your display has a black border of unused pixels visible | |
| 380 | # and your display can output without overscan |
|
380 | # and your display can output without overscan | |
| 381 | #disable_overscan=1 |
|
381 | #disable_overscan=1 | |
| 382 |
|
382 | |||
| 383 | # uncomment the following to adjust overscan. Use positive numbers if console |
|
383 | # uncomment the following to adjust overscan. Use positive numbers if console | |
| 384 | # goes off screen, and negative if there is too much border |
|
384 | # goes off screen, and negative if there is too much border | |
| 385 | #overscan_left=16 |
|
385 | #overscan_left=16 | |
| 386 | #overscan_right=16 |
|
386 | #overscan_right=16 | |
| 387 | #overscan_top=16 |
|
387 | #overscan_top=16 | |
| 388 | #overscan_bottom=16 |
|
388 | #overscan_bottom=16 | |
| 389 |
|
389 | |||
| 390 | # uncomment to force a console size. By default it will be display's size minus |
|
390 | # uncomment to force a console size. By default it will be display's size minus | |
| 391 | # overscan. |
|
391 | # overscan. | |
| 392 | #framebuffer_width=1280 |
|
392 | #framebuffer_width=1280 | |
| 393 | #framebuffer_height=720 |
|
393 | #framebuffer_height=720 | |
| 394 |
|
394 | |||
| 395 | # uncomment if hdmi display is not detected and composite is being output |
|
395 | # uncomment if hdmi display is not detected and composite is being output | |
| 396 | #hdmi_force_hotplug=1 |
|
396 | #hdmi_force_hotplug=1 | |
| 397 |
|
397 | |||
| 398 | # uncomment to force a specific HDMI mode (this will force VGA) |
|
398 | # uncomment to force a specific HDMI mode (this will force VGA) | |
| 399 | #hdmi_group=1 |
|
399 | #hdmi_group=1 | |
| 400 | #hdmi_mode=1 |
|
400 | #hdmi_mode=1 | |
| 401 |
|
401 | |||
| 402 | # uncomment to force a HDMI mode rather than DVI. This can make audio work in |
|
402 | # uncomment to force a HDMI mode rather than DVI. This can make audio work in | |
| 403 | # DMT (computer monitor) modes |
|
403 | # DMT (computer monitor) modes | |
| 404 | #hdmi_drive=2 |
|
404 | #hdmi_drive=2 | |
| 405 |
|
405 | |||
| 406 | # uncomment to increase signal to HDMI, if you have interference, blanking, or |
|
406 | # uncomment to increase signal to HDMI, if you have interference, blanking, or | |
| 407 | # no display |
|
407 | # no display | |
| 408 | #config_hdmi_boost=4 |
|
408 | #config_hdmi_boost=4 | |
| 409 |
|
409 | |||
| 410 | # uncomment for composite PAL |
|
410 | # uncomment for composite PAL | |
| 411 | #sdtv_mode=2 |
|
411 | #sdtv_mode=2 | |
| 412 |
|
412 | |||
| 413 | # uncomment to overclock the arm. 700 MHz is the default. |
|
413 | # uncomment to overclock the arm. 700 MHz is the default. | |
| 414 | #arm_freq=800 |
|
414 | #arm_freq=800 | |
| 415 | EOM |
|
415 | EOM | |
| 416 |
|
416 | |||
| 417 | # Load snd_bcm2835 kernel module at boot time |
|
417 | # Load snd_bcm2835 kernel module at boot time | |
| 418 | if [ "$ENABLE_SOUND" = true ] ; then |
|
418 | if [ "$ENABLE_SOUND" = true ] ; then | |
| 419 | echo "snd_bcm2835" >>$R/etc/modules |
|
419 | echo "snd_bcm2835" >>$R/etc/modules | |
| 420 | fi |
|
420 | fi | |
| 421 |
|
421 | |||
| 422 | # Set smallest possible GPU memory allocation size: 16MB (no X) |
|
422 | # Set smallest possible GPU memory allocation size: 16MB (no X) | |
| 423 | if [ "$ENABLE_MINGPU" = true ] ; then |
|
423 | if [ "$ENABLE_MINGPU" = true ] ; then | |
| 424 | echo "gpu_mem=16" >>$R/boot/firmware/config.txt |
|
424 | echo "gpu_mem=16" >>$R/boot/firmware/config.txt | |
| 425 | fi |
|
425 | fi | |
| 426 |
|
426 | |||
| 427 | # Create symlinks |
|
427 | # Create symlinks | |
| 428 | ln -sf firmware/config.txt $R/boot/config.txt |
|
428 | ln -sf firmware/config.txt $R/boot/config.txt | |
| 429 | ln -sf firmware/cmdline.txt $R/boot/cmdline.txt |
|
429 | ln -sf firmware/cmdline.txt $R/boot/cmdline.txt | |
| 430 |
|
430 | |||
| 431 | # Prepare modules-load.d directory |
|
431 | # Prepare modules-load.d directory | |
| 432 | mkdir -p $R/lib/modules-load.d/ |
|
432 | mkdir -p $R/lib/modules-load.d/ | |
| 433 |
|
433 | |||
| 434 | # Load random module on boot |
|
434 | # Load random module on boot | |
| 435 | if [ "$ENABLE_HWRANDOM" = true ] ; then |
|
435 | if [ "$ENABLE_HWRANDOM" = true ] ; then | |
| 436 | cat <<EOM >$R/lib/modules-load.d/rpi2.conf |
|
436 | cat <<EOM >$R/lib/modules-load.d/rpi2.conf | |
| 437 | bcm2708_rng |
|
437 | bcm2708_rng | |
| 438 | EOM |
|
438 | EOM | |
| 439 | fi |
|
439 | fi | |
| 440 |
|
440 | |||
| 441 | # Prepare modprobe.d directory |
|
441 | # Prepare modprobe.d directory | |
| 442 | mkdir -p $R/etc/modprobe.d/ |
|
442 | mkdir -p $R/etc/modprobe.d/ | |
| 443 |
|
443 | |||
| 444 | # Blacklist sound modules |
|
444 | # Blacklist sound modules | |
| 445 | cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf |
|
445 | cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf | |
| 446 | blacklist snd_soc_core |
|
446 | blacklist snd_soc_core | |
| 447 | blacklist snd_pcm |
|
447 | blacklist snd_pcm | |
| 448 | blacklist snd_pcm_dmaengine |
|
448 | blacklist snd_pcm_dmaengine | |
| 449 | blacklist snd_timer |
|
449 | blacklist snd_timer | |
| 450 | blacklist snd_compress |
|
450 | blacklist snd_compress | |
| 451 | blacklist snd_soc_pcm512x_i2c |
|
451 | blacklist snd_soc_pcm512x_i2c | |
| 452 | blacklist snd_soc_pcm512x |
|
452 | blacklist snd_soc_pcm512x | |
| 453 | blacklist snd_soc_tas5713 |
|
453 | blacklist snd_soc_tas5713 | |
| 454 | blacklist snd_soc_wm8804 |
|
454 | blacklist snd_soc_wm8804 | |
| 455 | EOM |
|
455 | EOM | |
| 456 |
|
456 | |||
| 457 | # Create default fstab |
|
457 | # Create default fstab | |
| 458 | cat <<EOM >$R/etc/fstab |
|
458 | cat <<EOM >$R/etc/fstab | |
| 459 | /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1 |
|
459 | /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1 | |
| 460 | /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2 |
|
460 | /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2 | |
| 461 | EOM |
|
461 | EOM | |
| 462 |
|
462 | |||
| 463 | # Avoid swapping and increase cache sizes |
|
463 | # Avoid swapping and increase cache sizes | |
| 464 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf |
|
464 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf | |
| 465 |
|
465 | |||
| 466 | # Avoid swapping and increase cache sizes |
|
466 | # Avoid swapping and increase cache sizes | |
| 467 | vm.swappiness=1 |
|
467 | vm.swappiness=1 | |
| 468 | vm.dirty_background_ratio=20 |
|
468 | vm.dirty_background_ratio=20 | |
| 469 | vm.dirty_ratio=40 |
|
469 | vm.dirty_ratio=40 | |
| 470 | vm.dirty_writeback_centisecs=500 |
|
470 | vm.dirty_writeback_centisecs=500 | |
| 471 | vm.dirty_expire_centisecs=6000 |
|
471 | vm.dirty_expire_centisecs=6000 | |
| 472 | EOM |
|
472 | EOM | |
| 473 |
|
473 | |||
| 474 | # Enable network stack hardening |
|
474 | # Enable network stack hardening | |
| 475 | if [ "$ENABLE_HARDNET" = true ] ; then |
|
475 | if [ "$ENABLE_HARDNET" = true ] ; then | |
| 476 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf |
|
476 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf | |
| 477 |
|
477 | |||
| 478 | # Enable network stack hardening |
|
478 | # Enable network stack hardening | |
| 479 | net.ipv4.tcp_timestamps=0 |
|
479 | net.ipv4.tcp_timestamps=0 | |
| 480 | net.ipv4.tcp_syncookies=1 |
|
480 | net.ipv4.tcp_syncookies=1 | |
| 481 | net.ipv4.conf.all.rp_filter=1 |
|
481 | net.ipv4.conf.all.rp_filter=1 | |
| 482 | net.ipv4.conf.all.accept_redirects=0 |
|
482 | net.ipv4.conf.all.accept_redirects=0 | |
| 483 | net.ipv4.conf.all.send_redirects=0 |
|
483 | net.ipv4.conf.all.send_redirects=0 | |
| 484 | net.ipv4.conf.all.accept_source_route=0 |
|
484 | net.ipv4.conf.all.accept_source_route=0 | |
| 485 | net.ipv4.conf.default.rp_filter=1 |
|
485 | net.ipv4.conf.default.rp_filter=1 | |
| 486 | net.ipv4.conf.default.accept_redirects=0 |
|
486 | net.ipv4.conf.default.accept_redirects=0 | |
| 487 | net.ipv4.conf.default.send_redirects=0 |
|
487 | net.ipv4.conf.default.send_redirects=0 | |
| 488 | net.ipv4.conf.default.accept_source_route=0 |
|
488 | net.ipv4.conf.default.accept_source_route=0 | |
| 489 | net.ipv4.conf.lo.accept_redirects=0 |
|
489 | net.ipv4.conf.lo.accept_redirects=0 | |
| 490 | net.ipv4.conf.lo.send_redirects=0 |
|
490 | net.ipv4.conf.lo.send_redirects=0 | |
| 491 | net.ipv4.conf.lo.accept_source_route=0 |
|
491 | net.ipv4.conf.lo.accept_source_route=0 | |
| 492 | net.ipv4.conf.eth0.accept_redirects=0 |
|
492 | net.ipv4.conf.eth0.accept_redirects=0 | |
| 493 | net.ipv4.conf.eth0.send_redirects=0 |
|
493 | net.ipv4.conf.eth0.send_redirects=0 | |
| 494 | net.ipv4.conf.eth0.accept_source_route=0 |
|
494 | net.ipv4.conf.eth0.accept_source_route=0 | |
| 495 | net.ipv4.icmp_echo_ignore_broadcasts=1 |
|
495 | net.ipv4.icmp_echo_ignore_broadcasts=1 | |
| 496 | net.ipv4.icmp_ignore_bogus_error_responses=1 |
|
496 | net.ipv4.icmp_ignore_bogus_error_responses=1 | |
| 497 |
|
497 | |||
| 498 | net.ipv6.conf.all.accept_redirects=0 |
|
498 | net.ipv6.conf.all.accept_redirects=0 | |
| 499 | net.ipv6.conf.all.accept_source_route=0 |
|
499 | net.ipv6.conf.all.accept_source_route=0 | |
| 500 | net.ipv6.conf.all.router_solicitations=0 |
|
500 | net.ipv6.conf.all.router_solicitations=0 | |
| 501 | net.ipv6.conf.all.accept_ra_rtr_pref=0 |
|
501 | net.ipv6.conf.all.accept_ra_rtr_pref=0 | |
| 502 | net.ipv6.conf.all.accept_ra_pinfo=0 |
|
502 | net.ipv6.conf.all.accept_ra_pinfo=0 | |
| 503 | net.ipv6.conf.all.accept_ra_defrtr=0 |
|
503 | net.ipv6.conf.all.accept_ra_defrtr=0 | |
| 504 | net.ipv6.conf.all.autoconf=0 |
|
504 | net.ipv6.conf.all.autoconf=0 | |
| 505 | net.ipv6.conf.all.dad_transmits=0 |
|
505 | net.ipv6.conf.all.dad_transmits=0 | |
| 506 | net.ipv6.conf.all.max_addresses=1 |
|
506 | net.ipv6.conf.all.max_addresses=1 | |
| 507 |
|
507 | |||
| 508 | net.ipv6.conf.default.accept_redirects=0 |
|
508 | net.ipv6.conf.default.accept_redirects=0 | |
| 509 | net.ipv6.conf.default.accept_source_route=0 |
|
509 | net.ipv6.conf.default.accept_source_route=0 | |
| 510 | net.ipv6.conf.default.router_solicitations=0 |
|
510 | net.ipv6.conf.default.router_solicitations=0 | |
| 511 | net.ipv6.conf.default.accept_ra_rtr_pref=0 |
|
511 | net.ipv6.conf.default.accept_ra_rtr_pref=0 | |
| 512 | net.ipv6.conf.default.accept_ra_pinfo=0 |
|
512 | net.ipv6.conf.default.accept_ra_pinfo=0 | |
| 513 | net.ipv6.conf.default.accept_ra_defrtr=0 |
|
513 | net.ipv6.conf.default.accept_ra_defrtr=0 | |
| 514 | net.ipv6.conf.default.autoconf=0 |
|
514 | net.ipv6.conf.default.autoconf=0 | |
| 515 | net.ipv6.conf.default.dad_transmits=0 |
|
515 | net.ipv6.conf.default.dad_transmits=0 | |
| 516 | net.ipv6.conf.default.max_addresses=1 |
|
516 | net.ipv6.conf.default.max_addresses=1 | |
| 517 |
|
517 | |||
| 518 | net.ipv6.conf.lo.accept_redirects=0 |
|
518 | net.ipv6.conf.lo.accept_redirects=0 | |
| 519 | net.ipv6.conf.lo.accept_source_route=0 |
|
519 | net.ipv6.conf.lo.accept_source_route=0 | |
| 520 | net.ipv6.conf.lo.router_solicitations=0 |
|
520 | net.ipv6.conf.lo.router_solicitations=0 | |
| 521 | net.ipv6.conf.lo.accept_ra_rtr_pref=0 |
|
521 | net.ipv6.conf.lo.accept_ra_rtr_pref=0 | |
| 522 | net.ipv6.conf.lo.accept_ra_pinfo=0 |
|
522 | net.ipv6.conf.lo.accept_ra_pinfo=0 | |
| 523 | net.ipv6.conf.lo.accept_ra_defrtr=0 |
|
523 | net.ipv6.conf.lo.accept_ra_defrtr=0 | |
| 524 | net.ipv6.conf.lo.autoconf=0 |
|
524 | net.ipv6.conf.lo.autoconf=0 | |
| 525 | net.ipv6.conf.lo.dad_transmits=0 |
|
525 | net.ipv6.conf.lo.dad_transmits=0 | |
| 526 | net.ipv6.conf.lo.max_addresses=1 |
|
526 | net.ipv6.conf.lo.max_addresses=1 | |
| 527 |
|
527 | |||
| 528 | net.ipv6.conf.eth0.accept_redirects=0 |
|
528 | net.ipv6.conf.eth0.accept_redirects=0 | |
| 529 | net.ipv6.conf.eth0.accept_source_route=0 |
|
529 | net.ipv6.conf.eth0.accept_source_route=0 | |
| 530 | net.ipv6.conf.eth0.router_solicitations=0 |
|
530 | net.ipv6.conf.eth0.router_solicitations=0 | |
| 531 | net.ipv6.conf.eth0.accept_ra_rtr_pref=0 |
|
531 | net.ipv6.conf.eth0.accept_ra_rtr_pref=0 | |
| 532 | net.ipv6.conf.eth0.accept_ra_pinfo=0 |
|
532 | net.ipv6.conf.eth0.accept_ra_pinfo=0 | |
| 533 | net.ipv6.conf.eth0.accept_ra_defrtr=0 |
|
533 | net.ipv6.conf.eth0.accept_ra_defrtr=0 | |
| 534 | net.ipv6.conf.eth0.autoconf=0 |
|
534 | net.ipv6.conf.eth0.autoconf=0 | |
| 535 | net.ipv6.conf.eth0.dad_transmits=0 |
|
535 | net.ipv6.conf.eth0.dad_transmits=0 | |
| 536 | net.ipv6.conf.eth0.max_addresses=1 |
|
536 | net.ipv6.conf.eth0.max_addresses=1 | |
| 537 | EOM |
|
537 | EOM | |
| 538 |
|
538 | |||
| 539 | # Enable resolver warnings about spoofed addresses |
|
539 | # Enable resolver warnings about spoofed addresses | |
| 540 | cat <<EOM >>$R/etc/host.conf |
|
540 | cat <<EOM >>$R/etc/host.conf | |
| 541 | spoof warn |
|
541 | spoof warn | |
| 542 | EOM |
|
542 | EOM | |
| 543 | fi |
|
543 | fi | |
| 544 |
|
544 | |||
| 545 | # Regenerate openssh server host keys |
|
545 | # Regenerate openssh server host keys | |
| 546 | if [ "$ENABLE_SSHD" = true ] ; then |
|
546 | if [ "$ENABLE_SSHD" = true ] ; then | |
| 547 | rm -fr $R/etc/ssh/ssh_host_* |
|
547 | rm -fr $R/etc/ssh/ssh_host_* | |
| 548 | LANG=C chroot $R dpkg-reconfigure openssh-server |
|
548 | LANG=C chroot $R dpkg-reconfigure openssh-server | |
| 549 | fi |
|
549 | fi | |
| 550 |
|
550 | |||
| 551 | # Enable serial console systemd style |
|
551 | # Enable serial console systemd style | |
| 552 | if [ "$ENABLE_CONSOLE" = true ] ; then |
|
552 | if [ "$ENABLE_CONSOLE" = true ] ; then | |
| 553 | LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service |
|
553 | LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service | |
| 554 | fi |
|
554 | fi | |
| 555 |
|
555 | |||
| 556 | # Enable firewall based on iptables started by systemd service |
|
556 | # Enable firewall based on iptables started by systemd service | |
| 557 | if [ "$ENABLE_IPTABLES" = true ] ; then |
|
557 | if [ "$ENABLE_IPTABLES" = true ] ; then | |
| 558 | # Create iptables configuration directory |
|
558 | # Create iptables configuration directory | |
| 559 | mkdir -p "$R/etc/iptables" |
|
559 | mkdir -p "$R/etc/iptables" | |
| 560 |
|
560 | |||
| 561 | # Create iptables systemd service |
|
561 | # Create iptables systemd service | |
| 562 | cat <<EOM >$R/etc/systemd/system/iptables.service |
|
562 | cat <<EOM >$R/etc/systemd/system/iptables.service | |
| 563 | [Unit] |
|
563 | [Unit] | |
| 564 | Description=Packet Filtering Framework |
|
564 | Description=Packet Filtering Framework | |
| 565 | DefaultDependencies=no |
|
565 | DefaultDependencies=no | |
| 566 | After=systemd-sysctl.service |
|
566 | After=systemd-sysctl.service | |
| 567 | Before=sysinit.target |
|
567 | Before=sysinit.target | |
| 568 | [Service] |
|
568 | [Service] | |
| 569 | Type=oneshot |
|
569 | Type=oneshot | |
| 570 | ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
570 | ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules | |
| 571 | ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
571 | ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules | |
| 572 | ExecStop=/etc/iptables/flush-iptables.sh |
|
572 | ExecStop=/etc/iptables/flush-iptables.sh | |
| 573 | RemainAfterExit=yes |
|
573 | RemainAfterExit=yes | |
| 574 | [Install] |
|
574 | [Install] | |
| 575 | WantedBy=multi-user.target |
|
575 | WantedBy=multi-user.target | |
| 576 | EOM |
|
576 | EOM | |
| 577 |
|
577 | |||
| 578 | # Create flush-table script called by iptables service |
|
578 | # Create flush-table script called by iptables service | |
| 579 | cat <<EOM >$R/etc/iptables/flush-iptables.sh |
|
579 | cat <<EOM >$R/etc/iptables/flush-iptables.sh | |
| 580 | #!/bin/sh |
|
580 | #!/bin/sh | |
| 581 | iptables -F |
|
581 | iptables -F | |
| 582 | iptables -X |
|
582 | iptables -X | |
| 583 | iptables -t nat -F |
|
583 | iptables -t nat -F | |
| 584 | iptables -t nat -X |
|
584 | iptables -t nat -X | |
| 585 | iptables -t mangle -F |
|
585 | iptables -t mangle -F | |
| 586 | iptables -t mangle -X |
|
586 | iptables -t mangle -X | |
| 587 | iptables -P INPUT ACCEPT |
|
587 | iptables -P INPUT ACCEPT | |
| 588 | iptables -P FORWARD ACCEPT |
|
588 | iptables -P FORWARD ACCEPT | |
| 589 | iptables -P OUTPUT ACCEPT |
|
589 | iptables -P OUTPUT ACCEPT | |
| 590 | EOM |
|
590 | EOM | |
| 591 |
|
591 | |||
| 592 | # Create iptables rule file |
|
592 | # Create iptables rule file | |
| 593 | cat <<EOM >$R/etc/iptables/iptables.rules |
|
593 | cat <<EOM >$R/etc/iptables/iptables.rules | |
| 594 | *filter |
|
594 | *filter | |
| 595 | :INPUT DROP [0:0] |
|
595 | :INPUT DROP [0:0] | |
| 596 | :FORWARD DROP [0:0] |
|
596 | :FORWARD DROP [0:0] | |
| 597 | :OUTPUT ACCEPT [0:0] |
|
597 | :OUTPUT ACCEPT [0:0] | |
| 598 | :TCP - [0:0] |
|
598 | :TCP - [0:0] | |
| 599 | :UDP - [0:0] |
|
599 | :UDP - [0:0] | |
| 600 | :SSH - [0:0] |
|
600 | :SSH - [0:0] | |
| 601 |
|
601 | |||
| 602 | # Rate limit ping requests |
|
602 | # Rate limit ping requests | |
| 603 | -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT |
|
603 | -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT | |
| 604 | -A INPUT -p icmp --icmp-type echo-request -j DROP |
|
604 | -A INPUT -p icmp --icmp-type echo-request -j DROP | |
| 605 |
|
605 | |||
| 606 | # Accept established connections |
|
606 | # Accept established connections | |
| 607 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
|
607 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| 608 |
|
608 | |||
| 609 | # Accept all traffic on loopback interface |
|
609 | # Accept all traffic on loopback interface | |
| 610 | -A INPUT -i lo -j ACCEPT |
|
610 | -A INPUT -i lo -j ACCEPT | |
| 611 |
|
611 | |||
| 612 | # Drop packets declared invalid |
|
612 | # Drop packets declared invalid | |
| 613 | -A INPUT -m conntrack --ctstate INVALID -j DROP |
|
613 | -A INPUT -m conntrack --ctstate INVALID -j DROP | |
| 614 |
|
614 | |||
| 615 | # SSH rate limiting |
|
615 | # SSH rate limiting | |
| 616 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH |
|
616 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH | |
| 617 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP |
|
617 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP | |
| 618 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP |
|
618 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP | |
| 619 | -A SSH -m recent --name sshbf --set -j ACCEPT |
|
619 | -A SSH -m recent --name sshbf --set -j ACCEPT | |
| 620 |
|
620 | |||
| 621 | # Send TCP and UDP connections to their respective rules chain |
|
621 | # Send TCP and UDP connections to their respective rules chain | |
| 622 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP |
|
622 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP | |
| 623 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP |
|
623 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP | |
| 624 |
|
624 | |||
| 625 | # Reject dropped packets with a RFC compliant responce |
|
625 | # Reject dropped packets with a RFC compliant responce | |
| 626 | -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable |
|
626 | -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable | |
| 627 | -A INPUT -p tcp -j REJECT --reject-with tcp-rst |
|
627 | -A INPUT -p tcp -j REJECT --reject-with tcp-rst | |
| 628 | -A INPUT -j REJECT --reject-with icmp-proto-unreachable |
|
628 | -A INPUT -j REJECT --reject-with icmp-proto-unreachable | |
| 629 |
|
629 | |||
| 630 | ## TCP PORT RULES |
|
630 | ## TCP PORT RULES | |
| 631 | # -A TCP -p tcp -j LOG |
|
631 | # -A TCP -p tcp -j LOG | |
| 632 |
|
632 | |||
| 633 | ## UDP PORT RULES |
|
633 | ## UDP PORT RULES | |
| 634 | # -A UDP -p udp -j LOG |
|
634 | # -A UDP -p udp -j LOG | |
| 635 |
|
635 | |||
| 636 | COMMIT |
|
636 | COMMIT | |
| 637 | EOM |
|
637 | EOM | |
| 638 |
|
638 | |||
| 639 | # Reload systemd configuration and enable iptables service |
|
639 | # Reload systemd configuration and enable iptables service | |
| 640 | LANG=C chroot $R systemctl daemon-reload |
|
640 | LANG=C chroot $R systemctl daemon-reload | |
| 641 | LANG=C chroot $R systemctl enable iptables.service |
|
641 | LANG=C chroot $R systemctl enable iptables.service | |
| 642 |
|
642 | |||
| 643 | if [ "$ENABLE_IPV6" = true ] ; then |
|
643 | if [ "$ENABLE_IPV6" = true ] ; then | |
| 644 | # Create ip6tables systemd service |
|
644 | # Create ip6tables systemd service | |
| 645 | cat <<EOM >$R/etc/systemd/system/ip6tables.service |
|
645 | cat <<EOM >$R/etc/systemd/system/ip6tables.service | |
| 646 | [Unit] |
|
646 | [Unit] | |
| 647 | Description=Packet Filtering Framework |
|
647 | Description=Packet Filtering Framework | |
| 648 | DefaultDependencies=no |
|
648 | DefaultDependencies=no | |
| 649 | After=systemd-sysctl.service |
|
649 | After=systemd-sysctl.service | |
| 650 | Before=sysinit.target |
|
650 | Before=sysinit.target | |
| 651 | [Service] |
|
651 | [Service] | |
| 652 | Type=oneshot |
|
652 | Type=oneshot | |
| 653 | ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
653 | ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules | |
| 654 | ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
654 | ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules | |
| 655 | ExecStop=/etc/iptables/flush-ip6tables.sh |
|
655 | ExecStop=/etc/iptables/flush-ip6tables.sh | |
| 656 | RemainAfterExit=yes |
|
656 | RemainAfterExit=yes | |
| 657 | [Install] |
|
657 | [Install] | |
| 658 | WantedBy=multi-user.target |
|
658 | WantedBy=multi-user.target | |
| 659 | EOM |
|
659 | EOM | |
| 660 |
|
660 | |||
| 661 | # Create ip6tables file |
|
661 | # Create ip6tables file | |
| 662 | cat <<EOM >$R/etc/iptables/flush-ip6tables.sh |
|
662 | cat <<EOM >$R/etc/iptables/flush-ip6tables.sh | |
| 663 | #!/bin/sh |
|
663 | #!/bin/sh | |
| 664 | ip6tables -F |
|
664 | ip6tables -F | |
| 665 | ip6tables -X |
|
665 | ip6tables -X | |
| 666 | ip6tables -Z |
|
666 | ip6tables -Z | |
| 667 | for table in $(</proc/net/ip6_tables_names) |
|
667 | for table in $(</proc/net/ip6_tables_names) | |
| 668 | do |
|
668 | do | |
| 669 | ip6tables -t \$table -F |
|
669 | ip6tables -t \$table -F | |
| 670 | ip6tables -t \$table -X |
|
670 | ip6tables -t \$table -X | |
| 671 | ip6tables -t \$table -Z |
|
671 | ip6tables -t \$table -Z | |
| 672 | done |
|
672 | done | |
| 673 | ip6tables -P INPUT ACCEPT |
|
673 | ip6tables -P INPUT ACCEPT | |
| 674 | ip6tables -P OUTPUT ACCEPT |
|
674 | ip6tables -P OUTPUT ACCEPT | |
| 675 | ip6tables -P FORWARD ACCEPT |
|
675 | ip6tables -P FORWARD ACCEPT | |
| 676 | EOM |
|
676 | EOM | |
| 677 |
|
677 | |||
| 678 | # Create ip6tables rule file |
|
678 | # Create ip6tables rule file | |
| 679 | cat <<EOM >$R/etc/iptables/ip6tables.rules |
|
679 | cat <<EOM >$R/etc/iptables/ip6tables.rules | |
| 680 | *filter |
|
680 | *filter | |
| 681 | :INPUT DROP [0:0] |
|
681 | :INPUT DROP [0:0] | |
| 682 | :FORWARD DROP [0:0] |
|
682 | :FORWARD DROP [0:0] | |
| 683 | :OUTPUT ACCEPT [0:0] |
|
683 | :OUTPUT ACCEPT [0:0] | |
| 684 | :TCP - [0:0] |
|
684 | :TCP - [0:0] | |
| 685 | :UDP - [0:0] |
|
685 | :UDP - [0:0] | |
| 686 | :SSH - [0:0] |
|
686 | :SSH - [0:0] | |
| 687 |
|
687 | |||
| 688 | # Drop packets with RH0 headers |
|
688 | # Drop packets with RH0 headers | |
| 689 | -A INPUT -m rt --rt-type 0 -j DROP |
|
689 | -A INPUT -m rt --rt-type 0 -j DROP | |
| 690 | -A OUTPUT -m rt --rt-type 0 -j DROP |
|
690 | -A OUTPUT -m rt --rt-type 0 -j DROP | |
| 691 | -A FORWARD -m rt --rt-type 0 -j DROP |
|
691 | -A FORWARD -m rt --rt-type 0 -j DROP | |
| 692 |
|
692 | |||
| 693 | # Rate limit ping requests |
|
693 | # Rate limit ping requests | |
| 694 | -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT |
|
694 | -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT | |
| 695 | -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP |
|
695 | -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP | |
| 696 |
|
696 | |||
| 697 | # Accept established connections |
|
697 | # Accept established connections | |
| 698 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
|
698 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| 699 |
|
699 | |||
| 700 | # Accept all traffic on loopback interface |
|
700 | # Accept all traffic on loopback interface | |
| 701 | -A INPUT -i lo -j ACCEPT |
|
701 | -A INPUT -i lo -j ACCEPT | |
| 702 |
|
702 | |||
| 703 | # Drop packets declared invalid |
|
703 | # Drop packets declared invalid | |
| 704 | -A INPUT -m conntrack --ctstate INVALID -j DROP |
|
704 | -A INPUT -m conntrack --ctstate INVALID -j DROP | |
| 705 |
|
705 | |||
| 706 | # SSH rate limiting |
|
706 | # SSH rate limiting | |
| 707 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH |
|
707 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH | |
| 708 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP |
|
708 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP | |
| 709 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP |
|
709 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP | |
| 710 | -A SSH -m recent --name sshbf --set -j ACCEPT |
|
710 | -A SSH -m recent --name sshbf --set -j ACCEPT | |
| 711 |
|
711 | |||
| 712 | # Send TCP and UDP connections to their respective rules chain |
|
712 | # Send TCP and UDP connections to their respective rules chain | |
| 713 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP |
|
713 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP | |
| 714 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP |
|
714 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP | |
| 715 |
|
715 | |||
| 716 | # Reject dropped packets with a RFC compliant responce |
|
716 | # Reject dropped packets with a RFC compliant responce | |
| 717 | -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited |
|
717 | -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited | |
| 718 | -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited |
|
718 | -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited | |
| 719 | -A INPUT -j REJECT --reject-with icmp6-adm-prohibited |
|
719 | -A INPUT -j REJECT --reject-with icmp6-adm-prohibited | |
| 720 |
|
720 | |||
| 721 | ## TCP PORT RULES |
|
721 | ## TCP PORT RULES | |
| 722 | # -A TCP -p tcp -j LOG |
|
722 | # -A TCP -p tcp -j LOG | |
| 723 |
|
723 | |||
| 724 | ## UDP PORT RULES |
|
724 | ## UDP PORT RULES | |
| 725 | # -A UDP -p udp -j LOG |
|
725 | # -A UDP -p udp -j LOG | |
| 726 |
|
726 | |||
| 727 | COMMIT |
|
727 | COMMIT | |
| 728 | EOM |
|
728 | EOM | |
| 729 |
|
729 | |||
| 730 | # Reload systemd configuration and enable iptables service |
|
730 | # Reload systemd configuration and enable iptables service | |
| 731 | LANG=C chroot $R systemctl daemon-reload |
|
731 | LANG=C chroot $R systemctl daemon-reload | |
| 732 | LANG=C chroot $R systemctl enable ip6tables.service |
|
732 | LANG=C chroot $R systemctl enable ip6tables.service | |
| 733 | fi |
|
733 | fi | |
| 734 | fi |
|
734 | fi | |
| 735 |
|
735 | |||
| 736 | # Remove SSHD related iptables rules |
|
736 | # Remove SSHD related iptables rules | |
| 737 | if [ "$ENABLE_SSHD" = false ] ; then |
|
737 | if [ "$ENABLE_SSHD" = false ] ; then | |
| 738 | sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null |
|
738 | sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null | |
| 739 | sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null |
|
739 | sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null | |
| 740 | fi |
|
740 | fi | |
| 741 |
|
741 | |||
| 742 | # Install gcc/c++ build environment inside the chroot |
|
742 | # Install gcc/c++ build environment inside the chroot | |
| 743 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then |
|
743 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then | |
| 744 | LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc |
|
744 | LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc | |
| 745 | fi |
|
745 | fi | |
| 746 |
|
746 | |||
| 747 | # Fetch and build U-Boot bootloader |
|
747 | # Fetch and build U-Boot bootloader | |
| 748 | if [ "$ENABLE_UBOOT" = true ] ; then |
|
748 | if [ "$ENABLE_UBOOT" = true ] ; then | |
| 749 | # Fetch U-Boot bootloader sources |
|
749 | # Fetch U-Boot bootloader sources | |
| 750 | git -C $R/tmp clone git://git.denx.de/u-boot.git |
|
750 | git -C $R/tmp clone git://git.denx.de/u-boot.git | |
| 751 |
|
751 | |||
| 752 | # Build and install U-Boot inside chroot |
|
752 | # Build and install U-Boot inside chroot | |
| 753 | LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all |
|
753 | LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all | |
| 754 |
|
754 | |||
| 755 | # Copy compiled bootloader binary and set config.txt to load it |
|
755 | # Copy compiled bootloader binary and set config.txt to load it | |
| 756 | cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/ |
|
756 | cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/ | |
| 757 | printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt |
|
757 | printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt | |
| 758 |
|
758 | |||
| 759 | # Set U-Boot command file |
|
759 | # Set U-Boot command file | |
| 760 | cat <<EOM >$R/boot/firmware/uboot.mkimage |
|
760 | cat <<EOM >$R/boot/firmware/uboot.mkimage | |
| 761 | # Tell Linux that it is booting on a Raspberry Pi2 |
|
761 | # Tell Linux that it is booting on a Raspberry Pi2 | |
| 762 | setenv machid 0x00000c42 |
|
762 | setenv machid 0x00000c42 | |
| 763 |
|
763 | |||
| 764 | # Set the kernel boot command line |
|
764 | # Set the kernel boot command line | |
| 765 | setenv bootargs "earlyprintk ${CMDLINE}" |
|
765 | setenv bootargs "earlyprintk ${CMDLINE}" | |
| 766 |
|
766 | |||
| 767 | # Save these changes to u-boot's environment |
|
767 | # Save these changes to u-boot's environment | |
| 768 | saveenv |
|
768 | saveenv | |
| 769 |
|
769 | |||
| 770 | # Load the existing Linux kernel into RAM |
|
770 | # Load the existing Linux kernel into RAM | |
| 771 | fatload mmc 0:1 \${kernel_addr_r} kernel7.img |
|
771 | fatload mmc 0:1 \${kernel_addr_r} kernel7.img | |
| 772 |
|
772 | |||
| 773 | # Boot the kernel we have just loaded |
|
773 | # Boot the kernel we have just loaded | |
| 774 | bootz \${kernel_addr_r} |
|
774 | bootz \${kernel_addr_r} | |
| 775 | EOM |
|
775 | EOM | |
| 776 |
|
776 | |||
| 777 | # Generate U-Boot image from command file |
|
777 | # Generate U-Boot image from command file | |
| 778 | LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr |
|
778 | LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr | |
| 779 | fi |
|
779 | fi | |
| 780 |
|
780 | |||
| 781 | # Fetch and build fbturbo Xorg driver |
|
781 | # Fetch and build fbturbo Xorg driver | |
| 782 | if [ "$ENABLE_FBTURBO" = true ] ; then |
|
782 | if [ "$ENABLE_FBTURBO" = true ] ; then | |
| 783 | # Fetch fbturbo driver sources |
|
783 | # Fetch fbturbo driver sources | |
| 784 | git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git |
|
784 | git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git | |
| 785 |
|
785 | |||
| 786 | # Install Xorg build dependencies |
|
786 | # Install Xorg build dependencies | |
| 787 | LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev |
|
787 | LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev | |
| 788 |
|
788 | |||
| 789 | # Build and install fbturbo driver inside chroot |
|
789 | # Build and install fbturbo driver inside chroot | |
| 790 | LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install" |
|
790 | LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install" | |
| 791 |
|
791 | |||
| 792 | # Add fbturbo driver to Xorg configuration |
|
792 | # Add fbturbo driver to Xorg configuration | |
| 793 | cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf |
|
793 | cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf | |
| 794 | Section "Device" |
|
794 | Section "Device" | |
| 795 | Identifier "Allwinner A10/A13 FBDEV" |
|
795 | Identifier "Allwinner A10/A13 FBDEV" | |
| 796 | Driver "fbturbo" |
|
796 | Driver "fbturbo" | |
| 797 | Option "fbdev" "/dev/fb0" |
|
797 | Option "fbdev" "/dev/fb0" | |
| 798 | Option "SwapbuffersWait" "true" |
|
798 | Option "SwapbuffersWait" "true" | |
| 799 | EndSection |
|
799 | EndSection | |
| 800 | EOM |
|
800 | EOM | |
| 801 |
|
801 | |||
| 802 | # Remove Xorg build dependencies |
|
802 | # Remove Xorg build dependencies | |
| 803 | LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev |
|
803 | LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev | |
| 804 | fi |
|
804 | fi | |
| 805 |
|
805 | |||
| 806 | # Remove gcc/c++ build environment from the chroot |
|
806 | # Remove gcc/c++ build environment from the chroot | |
| 807 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then |
|
807 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then | |
| 808 | LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make |
|
808 | LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make | |
| 809 | fi |
|
809 | fi | |
| 810 |
|
810 | |||
| 811 | # Clean cached downloads |
|
811 | # Clean cached downloads | |
| 812 | LANG=C chroot $R apt-get -y clean |
|
812 | LANG=C chroot $R apt-get -y clean | |
| 813 | LANG=C chroot $R apt-get -y autoclean |
|
813 | LANG=C chroot $R apt-get -y autoclean | |
| 814 | LANG=C chroot $R apt-get -y autoremove |
|
814 | LANG=C chroot $R apt-get -y autoremove | |
| 815 |
|
815 | |||
| 816 | # Unmount mounted filesystems |
|
816 | # Unmount mounted filesystems | |
| 817 | umount -l $R/proc |
|
817 | umount -l $R/proc | |
| 818 | umount -l $R/sys |
|
818 | umount -l $R/sys | |
| 819 |
|
819 | |||
| 820 | # Clean up files |
|
820 | # Clean up files | |
| 821 | rm -f $R/etc/apt/sources.list.save |
|
821 | rm -f $R/etc/apt/sources.list.save | |
| 822 | rm -f $R/etc/resolvconf/resolv.conf.d/original |
|
822 | rm -f $R/etc/resolvconf/resolv.conf.d/original | |
| 823 | rm -rf $R/run |
|
823 | rm -rf $R/run | |
| 824 | mkdir -p $R/run |
|
824 | mkdir -p $R/run | |
| 825 | rm -f $R/etc/*- |
|
825 | rm -f $R/etc/*- | |
| 826 | rm -f $R/root/.bash_history |
|
826 | rm -f $R/root/.bash_history | |
| 827 | rm -rf $R/tmp/* |
|
827 | rm -rf $R/tmp/* | |
| 828 | rm -f $R/var/lib/urandom/random-seed |
|
828 | rm -f $R/var/lib/urandom/random-seed | |
| 829 | [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id |
|
829 | [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id | |
| 830 | rm -f $R/etc/machine-id |
|
830 | rm -f $R/etc/machine-id | |
| 831 | rm -fr $R/etc/apt/apt.conf.d/10proxy |
|
831 | rm -fr $R/etc/apt/apt.conf.d/10proxy | |
| 832 |
|
832 | |||
| 833 | # Calculate size of the chroot directory |
|
833 | # Calculate size of the chroot directory in KB | |
| 834 |
CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` |
|
834 | CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'`) | |
| 835 |
|
835 | |||
| 836 | # Calculate required image size |
|
836 | # Calculate the amount of needed 512 Byte sectors | |
| 837 | IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024` |
|
837 | TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512) | |
|
|
838 | BOOT_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512) | |||
|
|
839 | ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS}) | |||
| 838 |
|
840 | |||
| 839 | # Calculate number of sectors for the partition |
|
841 | # The root partition is EXT4 | |
| 840 | IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120` |
|
842 | # This means more space than the actual used space of the chroot is used. | |
|
|
843 | # As overhead for journaling and reserved blocks 20% are added. | |||
|
|
844 | ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 20) \* 1024 \/ 512) | |||
|
|
845 | ||||
|
|
846 | # Calculate required image size in 512 Byte sectors | |||
|
|
847 | IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS} + ${ROOT_SECTORS}) | |||
| 841 |
|
848 | |||
| 842 | # Prepare date string for image file name |
|
849 | # Prepare date string for image file name | |
| 843 | DATE="$(date +%Y-%m-%d)" |
|
850 | DATE="$(date +%Y-%m-%d)" | |
| 844 |
|
851 | |||
| 845 | # Prepare image file |
|
852 | # Prepare image file | |
| 846 |
dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs= |
|
853 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS} | |
| 847 |
dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs= |
|
854 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS} | |
| 848 |
|
855 | |||
| 849 | # Write partition table |
|
856 | # Write partition table | |
| 850 |
sfdisk -q |
|
857 | sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM | |
| 851 | unit: sectors |
|
858 | unit: sectors | |
| 852 |
|
859 | |||
| 853 |
1 : start= |
|
860 | 1 : start= ${TABLE_SECTORS}, size= ${BOOT_SECTORS}, Id= c, bootable | |
| 854 |
2 : start= |
|
861 | 2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83 | |
| 855 | 3 : start= 0, size= 0, Id= 0 |
|
862 | 3 : start= 0, size= 0, Id= 0 | |
| 856 | 4 : start= 0, size= 0, Id= 0 |
|
863 | 4 : start= 0, size= 0, Id= 0 | |
| 857 | EOM |
|
864 | EOM | |
| 858 |
|
865 | |||
| 859 | # Set up temporary loop devices and build filesystems |
|
866 | # Set up temporary loop devices and build filesystems | |
| 860 | VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" |
|
867 | VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |
| 861 |
EXT4_LOOP="$(losetup -o 65M |
|
868 | EXT4_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |
| 862 | mkfs.vfat "$VFAT_LOOP" |
|
869 | mkfs.vfat "$VFAT_LOOP" | |
| 863 | mkfs.ext4 "$EXT4_LOOP" |
|
870 | mkfs.ext4 "$EXT4_LOOP" | |
| 864 |
|
871 | |||
| 865 | # Mount the temporary loop devices |
|
872 | # Mount the temporary loop devices | |
| 866 | mkdir -p "$BUILDDIR/mount" |
|
873 | mkdir -p "$BUILDDIR/mount" | |
| 867 | mount "$EXT4_LOOP" "$BUILDDIR/mount" |
|
874 | mount "$EXT4_LOOP" "$BUILDDIR/mount" | |
| 868 |
|
875 | |||
| 869 | mkdir -p "$BUILDDIR/mount/boot/firmware" |
|
876 | mkdir -p "$BUILDDIR/mount/boot/firmware" | |
| 870 | mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware" |
|
877 | mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware" | |
| 871 |
|
878 | |||
| 872 | # Copy all files from the chroot to the loop device mount point directory |
|
879 | # Copy all files from the chroot to the loop device mount point directory | |
| 873 | rsync -a "$R/" "$BUILDDIR/mount/" |
|
880 | rsync -a "$R/" "$BUILDDIR/mount/" | |
| 874 |
|
881 | |||
| 875 | # Unmount all temporary loop devices and mount points |
|
882 | # Unmount all temporary loop devices and mount points | |
| 876 | cleanup |
|
883 | cleanup | |
| 877 |
|
884 | |||
| 878 | # (optinal) create block map file for "bmaptool" |
|
885 | # (optinal) create block map file for "bmaptool" | |
| 879 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img" |
|
886 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img" | |
| 880 |
|
887 | |||
| 881 | # Image was successfully created |
|
888 | # Image was successfully created | |
| 882 | echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created" |
|
889 | echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created" | |
General Comments 0
Vous devez vous connecter pour laisser un commentaire.
Se connecter maintenant
